Description: allow sandboxed code to call gettime64 Add __NR_clock_gettime64 and __NR_clock_nanosleep_time64 to syscall whitelist and clock selection parameter filtering code. Add __NR_utimensat_time64 to syscall whitelist Conditionalise additions on the new calls existing, because they do not exist on 64-bit architectures. Author: Peter Michael Green Index: chromium-83.0.4103.116/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc =================================================================== --- sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc +++ sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc @@ -148,7 +148,11 @@ ResultExpr EvaluateSyscallImpl(int fs_de return Allow(); #endif +#ifdef __NR_clock_gettime64 + if (sysno == __NR_clock_gettime || sysno == __NR_clock_gettime64 || sysno == __NR_clock_nanosleep || sysno == __NR_clock_nanosleep_time64) { +#else if (sysno == __NR_clock_gettime || sysno == __NR_clock_nanosleep) { +#endif return RestrictClockID(); } Index: chromium-83.0.4103.116/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc =================================================================== --- sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc +++ sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc @@ -38,6 +38,10 @@ bool SyscallSets::IsAllowedGettime(int s case __NR_clock_getres: // Allowed only on Android with parameters // filtered by RestrictClokID(). case __NR_clock_gettime: // Parameters filtered by RestrictClockID(). +#ifdef __NR_clock_gettime64 + case __NR_clock_gettime64: // Parameters filtered by RestrictClockID(). + case __NR_clock_nanosleep_time64: // Parameters filtered by RestrictClockID(). +#endif case __NR_clock_nanosleep: // Parameters filtered by RestrictClockID(). case __NR_clock_settime: // Privileged. #if defined(__i386__) || \ @@ -159,6 +163,9 @@ bool SyscallSets::IsFileSystem(int sysno case __NR_utime: #endif case __NR_utimensat: // New. +#ifdef __NR_utimensat_time64 + case __NR_utimensat_time64: +#endif return true; default: return false;